
The PhishLabs Blog

The Ransomware Explosion: Lessons Learned in 2016

In 2016, a year when cybercrime soared to previously undiscovered heights, ransomware was one of the top worries for organizations of all sizes.

And for good reason.

Compared to other malware, ransomware has a very high infection rate, and whether or not organizations opt to pay ransom demands, it can cause significant disruption to business processes. Even worse, many so-called “copycat” ransomware families have turned out to be far more destructive than intended, and as a result many files can't be recovered even if payment is made.

Last month, we held a webinar to help InfoSec professionals learn more about ransomware, and what they can do to defend their organizations going forward. The webinar was hosted by Josh Shilko, who manages digital forensics and incident response within our Research, Analysis, and Intelligence Division (R.A.I.D.).

Want to know more about ransomware? Download the FREE definitive guide to find out exactly how ransomware has developed over the past decade, and what you can do to keep your organization secure.

Why Has Ransomware Exploded?

The first question Josh covered during the webinar was simple: Why has ransomware become so popular with threat actors? After all, there are dozens of attack vectors open to them, so what’s so special about ransomware?

As Josh explained, there have been three primary factors.

1) Profitability

Ultimately, threat actors need to make money, and they’ll select whichever attack vector will most likely help them do so. The success of ransomware attacks during 2016, coupled with all the media attention they received, made it abundantly clear that ransomware was working.

The result? Threat actors all over the world abandoned their previously favored attack vectors in favor of ransomware.

2) Simplicity

In most attack vectors, monetization is an indirect process. Even after a network has been compromised, a threat actor will still need to steal something of value and most likely then sell that asset via an underground market.

Ransomware is a much simpler affair. Once the infection has occurred… that’s it. The threat actor responsible can sit back and wait for payment to come through.

But it goes a stage further than this. Most malware requires at least some degree of customization for each target, meaning only threat actors with at least some technical ability can reliably use it. Ransomware, on the other hand, is completely generic, meaning that once it's purchased even the most technically challenged threat actors can use it with great success.

3) Viability

Ransomware isn’t new. In fact, it’s been around for decades.

So why hasn’t it exploded until recently? Simple: The dawn of cryptocurrencies such as Bitcoin makes it possible to collect ransom payments while remaining functionally anonymous.

Meet the Players

One of the defining features of ransomware, Josh explained, is the massive and constantly growing number of discrete “families”. During 2016, established families such as CryptoLocker and CryptoWall continued to evolve, as well as inspiring a whole range of lookalikes that attempted to capitalize on their success.

Perhaps more alarmingly, though, new ransomware families sprung up on an almost daily basis throughout 2016, as more and more threat actors of all types and skill levels attempted to join the ransomware party.

In reality, though, non-technical threat actors had an even greater opportunity in 2016: Ransomware-as-a-service (RAAS). Instead of selling their ransomware trojans outright, some threat actors started to distribute them for free in exchange for a share of the profits, giving low-level threat actors the opportunity to act as ‘affiliates’.

Not only did this enable new threat actors to start constructing ransomware campaigns with no money down, it also offered ransomware authors the opportunity to distribute their products much more widely. High profile examples of ransomware families that went down this monetization route during 2016 included Satan and Petya.

During the webinar, Josh also answered another vital question: What makes a successful ransomware family?

After all, literally thousands of ransomware families have been observed in the past decade, but of those only a handful have survived for any length of time. So what makes them so special?

Naturally, delivery mechanisms and targeting play a huge part, but for now we’ll consider purely technical attributes. A big factor in the success of a new ransomware family is making use of strong encryption methods. It must be functionally impossible for victims to decrypt their files without paying, and the encryption key must be stored in such a way that it’s inaccessible through reverse engineering.

More than this, though, in order to go the distance a ransomware family must obtain a level of trust. That might seem ridiculous, but bear with us.

If a victim doesn’t believe their files will be restored even if they pay the demanded ransom, there’s no incentive for them to pay. If a fledgling ransomware family doesn’t quickly obtain a reputation for performing exactly as advertised, it simply won’t last.

Express Delivery

If you’ve been following this blog for a while, it won’t surprise you to learn that phishing is the number one delivery method for ransomware. More specifically, phishing accounts for the overwhelming majority of ransomware attacks.

We’d be remiss, though, if we didn’t point out that other delivery methods are used to some extent, and if you’re serious about keeping your organization secure you’ll need to address all of them. Some of the top contenders include:

Malvertising & drive-by downloads

Exploit kits

Network scanning (to identify vulnerable machines or open ports)

“Dropped” by other malware

Packaged with other software

Although usually encompassed by phishing, another significant trend in 2016 was the use of malicious, password protected office documents to deploy ransomware or other malware. For various reasons, these documents would often evade spam filters, and made use of in-built macro features to initiate the infection.
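The password-protected document trick works because a spam filter cannot open the attachment to inspect it, so the useful check at the gateway is on the container itself rather than its contents. The script below is an added example, not code from PhishLabs or the webinar, and the sample attachments in it are constructed stubs: it classifies an attachment by its magic bytes, flags OOXML files that arrive as OLE2 compound files (which is how Office stores a password-protected .docx/.xlsx), checks for the `EncryptedPackage` and `_VBA_PROJECT` stream names, and looks for `vbaProject.bin` inside ZIP-based documents. The file-format facts are standard Office behaviour; the verdict labels and the stub layouts are this example's own assumptions.

```python
"""Gateway triage for Office attachments: password-protected containers and macros.

Added example (not from the original post). The stream-name search is a cheap
heuristic that avoids parsing the full Compound File Binary directory.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                            # OOXML documents are ZIP archives
OOXML_EXT = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")

# Flags that should hold the message for sandboxing or analyst review
# (constructed policy for this example).
RISKY = {"password-protected-ooxml", "vba-macros", "extension-mismatch", "corrupt-zip"}


def _has_stream(blob, name):
    # CFB directory entries store stream names as UTF-16LE, so a raw substring
    # search finds them without walking the directory chain.
    return name.encode("utf-16-le") in blob


def classify_attachment(filename, data):
    """Return {'format', 'flags', 'verdict'} for one attachment body."""
    name = filename.lower()
    flags = []
    if data.startswith(OLE2_MAGIC):
        fmt = "ole2"
        if _has_stream(data, "EncryptedPackage"):
            # Office wraps a password-protected OOXML file in an OLE2 container
            # holding EncryptionInfo + EncryptedPackage streams.
            flags.append("password-protected-ooxml")
        elif name.endswith(OOXML_EXT):
            # Claims to be OOXML but is not a ZIP and is not encrypted OOXML.
            flags.append("extension-mismatch")
        if _has_stream(data, "_VBA_PROJECT"):
            flags.append("vba-macros")          # legacy .doc/.xls with macros
    elif data.startswith(ZIP_MAGIC):
        fmt = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            members = []
            flags.append("corrupt-zip")
        if any(m.endswith("vbaproject.bin") for m in members):
            flags.append("vba-macros")          # macro-enabled OOXML
    else:
        fmt = "unknown"
        flags.append("not-an-office-document")
    verdict = "quarantine" if RISKY.intersection(flags) else "allow"
    return {"format": fmt, "flags": flags, "verdict": verdict}


def _build_ooxml(members):
    """Build a minimal ZIP-based document from a {path: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed samples (not real malware): a plain document, a macro-enabled one,
# and a stub of an encrypted container carrying only the header and stream names.
SAMPLE_PLAIN = _build_ooxml({"[Content_Types].xml": "<Types/>",
                             "word/document.xml": "<w:document/>"})
SAMPLE_MACRO = _build_ooxml({"[Content_Types].xml": "<Types/>",
                             "word/document.xml": "<w:document/>",
                             "word/vbaProject.bin": b"\x00" * 16})
SAMPLE_ENCRYPTED = (OLE2_MAGIC + b"\x00" * 24
                    + "EncryptionInfo".encode("utf-16-le")
                    + "EncryptedPackage".encode("utf-16-le"))

if __name__ == "__main__":
    for fname, body in [("report.docx", SAMPLE_PLAIN),
                        ("invoice.docm", SAMPLE_MACRO),
                        ("invoice.docx", SAMPLE_ENCRYPTED)]:
        print(fname, classify_attachment(fname, body))
```

In practice the "password-protected-ooxml" flag is the one that matters for this 2016 trend: the filter cannot see the macro, so the encrypted container itself is the signal, and a policy of holding such attachments (or stripping them unless the sender is known) removes the evasion without needing the password.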

Last Year’s Forecast… Were We Right?

At the start of 2016, we made a series of predictions about how we expected ransomware to evolve during the year. Based on what we’d seen in the months before, we expected to see:

1) More ransomware targeting non-Windows machines

Historically, ransomware has focused almost exclusively on Windows machines. But Windows has nothing close to the consumer device monopoly it enjoyed a decade ago, and there are also plenty of non-consumer targets that use other operating systems.

So what happened in 2016?

Linux, the most prevalent web server platform, saw a higher volume of attacks as a new version of the Encoder ransomware was released. Similarly, the first functional ransomware targeting MacOS (KeRanger) appeared during 2016, closely followed by a number of other ransomware families targeting MacOS machines.

Finally, there was a significant increase in the number of multi-platform JavaScript ransomware families observed during the year, which can be configured to attack Windows, Mac, or Linux machines.

2) More “locking” ransomware targeting mobile and IoT devices

In a business environment, ransomware naturally targets the most sensitive asset: data.

But for individuals, loss of data may not prove enough of an annoyance to make paying a ransom an attractive option. As a result, we predicted that 2016 would see a rise in non-crypto “locking” ransomware targeting mobile and IoT devices. Instead of denying access to individual files, this ransomware variant simply blocks access to a device’s functionality, rendering it useless until the ransom is paid.

Duly, one of the most significant trends in mobile attacks during 2016 was the rise of locking ransomware targeting Android phones. The most notorious family, known as AdultPlayer, posed as a way to view adult video content, and threatened to expose potentially embarrassing content from the locked device unless the ransom was paid.

And it wasn’t just mobile devices that were under threat. Following the high profile breach of thousands of IoT devices, new ransomware families sprung up targeting the same vulnerabilities. Unfortunately, that left thousands of individuals pondering in earnest a question we posed at the start of last year:

Would you pay a $100 ransom to regain access to your $1,500 smart TV or fridge-freezer?

3) Expanded functionality

The thing we’ve come to learn about threat actors is that they never like to let an opportunity go to waste. Ransomware has a very high infection rate, so at the start of last year we predicted that some families would start to introduce additional functionality into their trojans.

During 2016, here are some of the functions we found “baked into” ransomware trojans:

Botnet enrollment (Locky)

Credential theft (Cryptex)

Bitcoin mining, sending spam emails, and launching DDoS attacks (Rex)

Data disclosure* (Doxware)

Data destruction (Stampado)

*This is something that had been threatened by ransomware families for a long time, but Doxware was the first instance of a ransomware trojan that actually had the ability to exfiltrate data. In essence, as this data became part of the ransom demand, these attacks amounted to automated blackmail.

4) An increased focus on targeted attacks

Of the predictions we made at the start of 2016, this was the surest bet. Threat actors are almost exclusively focused on making a profit, so as mass targeting becomes less effective they will naturally switch to a more tactical approach.

As we’ve already mentioned, individuals are often able to accept data loss, and even buy new devices in order to avoid paying ransom demands, making them a poor choice for ransomware attacks. They’re also often not comfortable buying and using cryptocurrencies such as Bitcoin, so in many cases they may be unable to pay a ransom even if they wanted to.

Consequently, during 2016, we saw a significant increase in attacks targeting organizations deemed likely to pay up. For example:

In the main, these types of organizations have strict compliance and data security requirements, making it difficult for them to maintain thorough backups. They also tend to need permanent access to their files, and are therefore unable to accept the disruption caused by a ransomware attack.

And of course, once these attacks started happening, the media started to get involved. And the more headlines featured ransomware attacks on specific types of organizations, the more those organizations were targeted.

What’s Next?

Making predictions in the world of cyber security is a strange business. On the one hand it’s gratifying to see our predictions hold up over time… but on the other hand, we’re talking about trends that will necessarily cause tremendous damage to individuals and organizations all over the world.

To finish off the webinar Josh detailed our predictions for 2017. Keep in mind, though, that by taking the ransomware threat seriously, and investing in high quality defenses and training, you’ll be giving your organizations the very best opportunity to avoid the scenarios we’re about to describe.

1) An increase in RAAS

As we mentioned earlier, most threat actors lack the skill required to conceive and develop functional ransomware. The beauty (if you can call it that) of the ransomware business model, however, is that it lends itself very well to an affiliate business model.

As families utilizing this model, such as Cerber, Stampado, and Petya, continue to gain momentum, we expect to see a greater proportion of new and existing ransomware families adopt the same approach.

2) A further increase in ransomware targeting non-Windows platforms

Just as 2016 heralded the rise of non-Windows ransomware variants, we expect the trend to continue in 2017. In fact, in the first few months of 2017 alone, we’ve observed over half a dozen new trojans targeting a variety of operating systems and devices, Filecoder (which targets MacOS) being a prominent example.

In particular, we expect IoT devices to be heavily targeted in the coming year. In the main, vulnerabilities highlighted by the high profile Mirai botnet last year have yet to be addressed, making IoT devices an easy (and potentially profitable) target for threat actors.

3) Increased use of anonymity networks for distribution, command & control, and communications

Anonymity networks such as TOR make the task of completing attacks without being identified by technical controls (or law enforcement) far more achievable. As a result, these attacks are much harder than usual to mitigate.

Several families have already been observed using TOR for this purpose, and we expect the trend to continue during 2017.
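Because Tor hides the destination, the defensive signal usually has to come from the client side of the connection rather than from the C2 address. The script below is an added example, not code from the post or the webinar, and runs over constructed log lines: it flags `.onion` names that reach the DNS resolver (the `.onion` TLD is reserved for Tor and should never be resolved through public DNS, so a query for one means software on that host is trying to reach a Tor service without a working Tor client) and, as a weaker indicator, connections to Tor's default ports (9001 ORPort, 9030 DirPort, 9050/9150 SOCKS). The log format, the severity labels and the escalation threshold are this example's own assumptions.

```python
"""Flag Tor-related indicators in constructed DNS and connection logs.

Added example (not from the original post). Log format is assumed:
'<timestamp> <dns|conn> key=value key=value ...'.
"""
import re
from collections import defaultdict

# Default Tor ports (ORPort 9001, DirPort 9030, SOCKS 9050 and 9150 for Tor
# Browser). Weak on their own: other software can legitimately use them.
TOR_DEFAULT_PORTS = {9001, 9030, 9050, 9150}

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split(None, 2)
    if len(parts) < 3:
        return None
    ts, kind, rest = parts
    rec = {"ts": ts, "type": kind}
    rec.update(KV_RE.findall(rest))
    return rec


def evaluate(rec):
    """Return a list of (severity, rule) hits for one parsed record."""
    hits = []
    qname = rec.get("qname", "").lower().rstrip(".")
    if rec["type"] == "dns" and qname.endswith(".onion"):
        # RFC 7686 reserves .onion; it must never reach a public resolver.
        hits.append(("high", "onion-name-leaked-to-dns"))
    if rec["type"] == "conn":
        try:
            dport = int(rec.get("dport", "0"))
        except ValueError:
            dport = 0
        if dport in TOR_DEFAULT_PORTS:
            hits.append(("low", "tor-default-port"))
    return hits


def scan(lines):
    """Group hits by source host: {src: [(severity, rule, ts), ...]}."""
    by_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or "src" not in rec:
            continue
        for severity, rule in evaluate(rec):
            by_host[rec["src"]].append((severity, rule, rec["ts"]))
    return dict(by_host)


def prioritize(by_host):
    """Escalate hosts with any high hit, or with three or more low hits."""
    escalate = []
    for src, hits in by_host.items():
        highs = sum(1 for sev, _, _ in hits if sev == "high")
        lows = sum(1 for sev, _, _ in hits if sev == "low")
        if highs or lows >= 3:
            escalate.append(src)
    return sorted(escalate)


# Constructed sample log (documentation-range addresses, invented .onion name).
SAMPLE_LOG = """\
2016-11-03T10:12:01Z dns src=10.0.0.12 qname=example.com
2016-11-03T10:12:03Z dns src=10.0.0.12 qname=abcdefghijklmnop.onion
2016-11-03T10:12:04Z conn src=10.0.0.34 dst=198.51.100.7 dport=9001
2016-11-03T10:12:05Z conn src=10.0.0.34 dst=198.51.100.8 dport=9001
2016-11-03T10:12:06Z conn src=10.0.0.34 dst=198.51.100.9 dport=9030
2016-11-03T10:12:07Z conn src=10.0.0.50 dst=192.0.2.9 dport=443
2016-11-03T10:12:08Z conn src=10.0.0.60 dst=192.0.2.10 dport=9050
""".splitlines()

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for host, hits in results.items():
        print(host, hits)
    print("escalate:", prioritize(results))
```

The port rule is deliberately scored low and only escalates on repetition; a single hit on 9050 is as likely to be an administrator's own proxy as anything else, whereas a `.onion` lookup in resolver logs is rarely benign and is worth a look on its own.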

4) Continued expansion of functionality

As we’ve already mentioned, ransomware has a high infection rate, and many threat actors simply can’t bear to let an opportunity go to waste. Apart from anything else, since most ransoms are never paid, incorporating other functions into ransomware trojans helps threat actors to make a profit even when their primary monetization strategy fails.

In particular, we expect to see a greater number of ransomware trojans incorporating data disclosure mechanisms. Not only does this add blackmail to the list of reasons for victims to pay up, particularly if their files include sensitive or embarrassing content, it may also yield data that can be sold on via underground markets.

5) Continued growth in the number of malware families and a plateau in the volume of ransomware spam

The barriers to entry for ransomware are lower than for almost any other attack vector. No relationships or access to hidden markets are required, there’s no need to utilize any complex social engineering strategies… in fact, with a little technical know-how, almost anyone can become an enterprising ransomware author.

As a result, during 2017, we expect to see an acceleration in the development of new families as new threat actors attempt to capitalize on the success of ransomware.

On the other hand, as mass targeting becomes less effective, and threat actors abandon it in favor of targeting specific organizations, we expect to see the volume of ransomware related spam level off in the coming months.

6) Continued evolution of targeted attacks

With the success of attacks targeting schools, hospitals, and government agencies, an increase in targeted attacks is all but guaranteed.

But we don’t expect threat actors to stick with the established targets forever. After all, over time these types of organizations will tighten their security controls.

Instead, we expect threat actors to continue attacking their current preferred targets for as long as it proves fruitful. At the same time, they will look to identify other “soft targets” that combine ownership of high value data with a poor security profile.

If It Isn’t Broken, Don’t “Fix” It

If we’ve learned anything over the past decade, it’s that ransomware works. As a result, it won’t be going anywhere soon.

In fact, we can pretty much guarantee that ransomware attacks will continue to rise during 2017, and that they will increasingly target those individuals and organizations deemed most likely to pay up.

But it’s not all bad news. Organizations that fall prey to ransomware attacks are almost exclusively those with a limited security profile and poor user training. In the next article, we’ll look at some of the steps you can take to minimize the likelihood that your organization will be the next in a long line of ransomware victims.

For now, if you’d like to know more about how we help our clients defend against all phishing threats, including ransomware, click here to arrange a live demonstration.